2.4.4 not working, how to rollback?



  • I have recently upgraded from WORKING 2.4.3 to 2.4.4. I see no reason to describe the problem since it is already discussed here. As I see looking here on the forums, 2.4.4 has too many problems. Why is 2.4.4 not yet revoked? I have to roll back to WORKING 2.4.3. Where can I download it?



  • @wanttorollbacktoworkingrelease said in 2.4.4 not working, how to rollback?:

    Where can I download it?

    You can't. Update to 2.4.4p1 and then make a decent post with all the information possible so you can get help. Or continue having your hissy fit and then cry into your pillow.



  • Sorry for the mistake, of course there is the latest (2.4.4p1) version.

    One of the problems (and the most important) is that CRL is now dead. Any operation with a CRL fails with a PHP error:

    Call to a member function findContext() on null in /usr/local/share/openssl_x509_crl/X509_CERT.php:56
    

    If a CRL is assigned to an OpenVPN server then webConfigurator does not start at boot (also the firewall and, I think, most other services). It worked fine in 2.4.3.

    The general problem is that the latest published version is obviously buggy, and there is no way to roll back.

    @grimson said in 2.4.4 not working, how to rollback?:

    @wanttorollbacktoworkingrelease said in 2.4.4 not working, how to rollback?:
    You can't.

    Of course I know that. And it's VERY VERY BAD!!! There must be some time (at least one month) to keep previous versions.

    So my latest question is: when will it be fixed?



  • @wanttorollbacktoworkingrelease said in 2.4.4 not working, how to rollback?:

    CRL

    Forgive me WTRBTWR but you seem like a troll.. I say that because every one of my installs I have updated are working flawlessly. Your claims seem wild and unproven to me..

    I probably do not have your working config so I can not say you're not having problems.. But it's many more of my installs against the one you're complaining about. So you can imagine that your issue may be something that no one else has run into yet..

    My first recommendation is to take it back a notch. Then explain your config and how it's not working. You get more flies with honey or so they say.



  • No, I was just in a panic.

    I've checked on a clean config (test VM), and it works. With one exception - in production the CA is an imported intermediate CA. Maybe this is a source of the issue? I will try to test it later.

    But you should not disavow that the problem exists, and it is not just mine - https://forum.netgate.com/topic/137578/upgrade-from-2-4-3-to-2-4-4-failed-no-wan-and-no-webui - absolutely identical. I've fixed it by removing <crlref> from the config. But this is not a solution because CRL does not work at all.



  • That problem exists if the CA is imported as a chain (two or more certificates).
    Root CA(s) must be imported.

    PS. Error was:

    Crash report begins.  Anonymous machine information:
    
    amd64
    11.2-RELEASE-p4
    FreeBSD 11.2-RELEASE-p4 #2 b00c407ba5d(RELENG_2_4_4): Mon Nov 26 11:41:48 EST 2018     root@buildbot2.nyi.netgate.com:/build/ce-crossbuild-244/obj/amd64/ZfGpH5cd/build/ce-crossbuild-244/pfSense/tmp/FreeBSD-src/sys/pfSense
    
    Crash report details:
    
    PHP Errors:
    [08-Dec-2018 22:24:41 Europe/Moscow] PHP Fatal error:  Uncaught Error: Call to a member function findContext() on null in /usr/local/share/openssl_x509_crl/X509_CERT.php:56
    Stack trace:
    #0 /usr/local/share/openssl_x509_crl/X509_CRL.php(100): Ukrbublik\openssl_x509_crl\X509_CERT::getExtVal_Subject('')
    #1 /etc/inc/certs.inc(1000): Ukrbublik\openssl_x509_crl\X509_CRL::create(Array, Resource id #34, false)
    #2 /etc/inc/certs.inc(1018): crl_update(Array)
    #3 /usr/local/www/system_crlmanager.php(145): cert_revoke(Array, Array, '4')
    #4 {main}
      thrown in /usr/local/share/openssl_x509_crl/X509_CERT.php on line 56
    
    
    
    No FreeBSD crash data found.
    			
    

    Now CRL works except for OpenVPN itself:

    Dec 8 21:07:23	openvpn	60087	178.130.41.24:59704 VERIFY WARNING: depth=0, unable to get certificate CRL: C=EDITED, ST=EDITED, L=EDITED, O=EDITED, emailAddress=EDITED, CN=EDITED
    Dec 8 21:07:23	openvpn	60087	178.130.41.24:59704 VERIFY WARNING: depth=1, unable to get certificate CRL: C=EDITED, ST=EDITED, O=EDITED, OU=EDITED, CN=EDITED, emailAddress=EDITED
    Dec 8 21:07:23	openvpn	60087	178.130.41.24:59704 VERIFY WARNING: depth=2, unable to get certificate CRL: C=EDITED, ST=EDITED, L=EDITED, O=EDITED, OU=EDITED, CN=EDITED, emailAddress=EDITED
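
An added example (not from the thread and not pfSense code): a check for the condition described in the post above, a CA entry whose certificate data holds two or more certificates, run over a config.xml backup. The element names `<ca>`, `<crt>`, `<refid>`, `<descr>`, `<crl>` and `<caref>` and the base64-wrapped PEM encoding are assumptions about the config layout (only `<crlref>` appears in the thread); the sample config and its PEM bodies are constructed.

```python
import base64
import re
import xml.etree.ElementTree as ET

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def count_pem_certs(b64_blob):
    """Count PEM certificate blocks inside a base64-wrapped <crt> value."""
    try:
        pem = base64.b64decode(b64_blob or "").decode("ascii", "replace")
    except ValueError:  # binascii.Error (bad base64) is a ValueError
        return 0
    return len(PEM_CERT.findall(pem))

def find_chained_cas(config_xml):
    """List CA entries holding 2+ certificates, with the CRLs that depend on them."""
    root = ET.fromstring(config_xml)
    # CRL refids that an OpenVPN server references through <crlref>
    used = {e.text for e in root.iter("crlref") if e.text}
    findings = []
    for ca in root.iter("ca"):
        n = count_pem_certs(ca.findtext("crt"))
        if n < 2:
            continue
        crls = [c for c in root.iter("crl")
                if c.findtext("caref") == ca.findtext("refid")]
        findings.append({
            "ca": ca.findtext("descr"),
            "certs": n,
            "crls": [c.findtext("descr") for c in crls],
            "openvpn_crlref": any(c.findtext("refid") in used for c in crls),
        })
    return findings

def sample_pem(n):
    """Constructed placeholder: n dummy PEM blocks, not real certificates."""
    block = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
    return base64.b64encode((block * n).encode()).decode()

# Constructed sample config; element names other than <crlref> are assumed.
SAMPLE = f"""<pfsense>
  <ca><refid>ca1</refid><descr>Root only</descr><crt>{sample_pem(1)}</crt></ca>
  <ca><refid>ca2</refid><descr>Imported chain</descr><crt>{sample_pem(2)}</crt></ca>
  <crl><refid>crl1</refid><descr>VPN CRL</descr><caref>ca2</caref></crl>
  <openvpn><openvpn-server><crlref>crl1</crlref></openvpn-server></openvpn>
</pfsense>"""

if __name__ == "__main__":
    print(find_chained_cas(SAMPLE))
```

A finding with `openvpn_crlref` set to true marks a chained CA whose CRL is attached to an OpenVPN server, which is the combination the thread ties to the boot failure.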
    


  • Nope.. I don't discount that there is an error.. But since we are not affected there is no way for me to know anything is wrong..

    Do you see your issue reported here anywhere? https://redmine.pfsense.org/projects/pfsense/roadmap